Cyber ​​attack to the Bank of Chile reopens debate on legislation on cybersecurity

On May 24, the Bank of Chile was the victim of a cyber attack involving various entities in South America’s financial system. They ended up settling with the theft of 10 million dollars of bank funds.

As has been published in various media outlets and further elaborated upon by CEO Eduardo Ebensperger, the cyberdelicuentes introduced a computer virus as a decoy. (identified as SWAPQ malware). According to further research, it is a virus that had never attacked before.

This malware caused anomalies in the operation of the IT equipment, symptoms that triggered alarms and activated security protocols. At the same time, a series of fraudulent transactions were started through the SWIFT network, proceeding to transfer funds to Hong Kong.

When those responsible for security realized the real objective of the attack, they proceeded to cancel the transactions. This contained the incident and only 4 fraudulent transactions were completed.

Was the cyber attack properly addressed?

After having overcome an attack of this nature, there follows a time for reflection. In this specific case, there are divergent opinions on whether the handling of this cyber attack was as transparent as it could have been.

According to Bank sources, the president of BancoEstado was alerted a few hours after the incident in an effort to protect the inter-bank payment system. However, it took several days to relay this information to the public. They argued that it was for strategic reasons.

This was followed by several meetings with government entities such as the Ministry of Finance and the Superintendent of Banks “Mario Farren”. It was decided to go to various international organizations in order to ask what exactly happened and what legal actions should be taken.

At the end of June, they requested technical assistance from the International Monetary Fund (IMF), and at the beginning of July they filed a lawsuit with the Ketuo Trade Limited company in Hong Kong. This lawsuit requested the return of $5,488,590 dollars that was transferred to one of their Citibank accounts after the hack.

Apparently the response phases were as expected: detect, stop the threat, communicate to the authorities, investigate the causes, seek international support, take legal action, etc. The question is whether it is really permissible to hide this type of information from public opinion, and if there are enough technical and legal mechanisms to prevent and mitigate this type of threat.

Is it necessary to improve legislation on cybersecurity?

According to Alexander Seger (director of the cybercrime division of the Council of Europe): “Nothing is a crime, not even in the cyber world, unless it is defined by law.” So to effectively address the growth of cyberthreats, we must build legislation in accordance with this new reality.

Although the European Union is working to strengthen cybersecurity, in other regions (like Latin America) there is still a long way to go.

The President of the IDB (Inter-American Development Bank), Luis Alberto Moreno, stated in a report prepared in 2016: “In Latin America and the Caribbean, this type of crime costs around 90 million dollars a year” (84,200 million euros) [ 15% in the world count].

Although Chile is one of the South American countries that started developing plans to respond to cyber attacks, the law currently in enforced dates back to 1993. This outdated law is surely not enough to address the magnitude and seriousness of today’s incidents.

Thinking in terms of globalization, it is important to consider that with growth of the digital market, vulnerabilities grow as well. It is prudent to think of cybersecurity as a global problem, beyond borders. Investing in improving the cybernetic protection of the Latin American market seems to be an intelligent decision. They are economies in expansion, and their vulnerabilities can indirectly expose European systems to similar problems.